ISO 22301

International standard for business continuity management systems; increasingly required for critical UK public sector contracts where buyers expect demonstrable continuity capability.

Michael Kitt, Founder of KimonBids

Definition

ISO 22301 is the international standard for business continuity management systems (BCMS). It specifies requirements for planning, implementing, operating, monitoring, reviewing and improving a BCMS that helps an organisation protect against, prepare for, respond to and recover from disruptive incidents. Certification is increasingly required by UK public sector buyers for critical contracts (health, emergency services, critical national infrastructure) as part of the wider continuity expectations that followed the 2017 WannaCry attack on the NHS and subsequent ransomware incidents.

How it works in practice

ISO 22301 certification requires implementing a BCMS that covers: business impact analysis (identifying critical activities and their recovery objectives), risk assessment (identifying threats to continuity), business continuity strategy (alternative ways to continue critical activities), business continuity plans (documented procedures for response and recovery), exercising and testing (validating that the plans work), and continual improvement.

The Business Impact Analysis (BIA) is the core diagnostic. For each critical activity it identifies the interdependencies (systems, suppliers, people, premises), the maximum tolerable period of disruption before harm becomes unacceptable, the recovery time objective (RTO) by which the activity must be running again, and, for the data it depends on, the recovery point objective (RPO), the maximum tolerable data loss. The RTO must be shorter than the maximum tolerable period of disruption, or the plan does not actually protect the activity.

The strategy then identifies how each critical activity can be continued during disruption: alternative sites, alternative suppliers, alternative delivery modes, manual workarounds. Plans operationalise the strategy: who does what, when, with what resources, communicating to whom. Exercising tests the plans through tabletop scenarios and technical recovery tests.

Certification involves implementing the BCMS, completing an internal audit cycle and management review, and then passing an external audit by an accredited certification body. The cost is similar to other management system standards: £15-£40K for first-time certification plus internal effort.

BS 25999, the older British standard, was withdrawn in 2012 when ISO 22301 was published, so new certificates are no longer issued against it; buyers who still reference it in tender documents treat ISO 22301 as its successor, and some accept other equivalent continuity frameworks. The Civil Contingencies Act 2004 imposes specific continuity duties on Category 1 responders (emergency services, local authorities, NHS bodies); an ISO 22301 BCMS substantially supports compliance with those duties, and suppliers to Category 1 responders are often asked to evidence equivalent arrangements.

Common questions

Is ISO 22301 required for all public sector contracts?

Increasingly required for critical contracts (health, emergency services, critical infrastructure) and large managed services. For routine services certification may not be mandatory, but evidence of continuity capability is widely expected: a named plan and plan owner, the date and outcome of the most recent exercise, and RTO commitments that match the SLAs being offered.

How does ISO 22301 relate to incident management?

They are complementary. Incident management is the day-to-day response to operational incidents within agreed SLAs. Business continuity is the broader capability to maintain critical service during major disruption: site loss, cyber attack, key staff absence, supply chain breakdown. The two need a defined hand-off: the incident process should state the criteria (for example, a forecast breach of an RTO) at which an incident is escalated and the continuity plan is invoked. Strong organisations implement both: ITIL-style incident management for routine incidents, an ISO 22301 BCMS for major disruption.

How often should continuity plans be tested under ISO 22301?

The standard requires exercising at planned intervals and after significant change, but does not fix a frequency. Common practice is an annual tabletop exercise plus periodic technical recovery tests; a technical test should actually restore systems from backup into an isolated environment and measure the time taken against the RTO, rather than only confirming that backup jobs completed. Real incidents (any P1 incident, any security incident) can count as exercises, provided the response is documented and the post-incident review explicitly evaluates the continuity response against the plan. Plans not exercised for over a year typically degrade in effectiveness as systems, suppliers and staff change.

